
BBC websites still suffering after DDoS attack

Since suffering a crippling DDoS attack on New Year's Eve, some BBC websites
are still experiencing significant performance issues.

Around 07:00 UTC on 31 December 2015, the main BBC website at www.bbc.co.uk was
knocked offline after being subjected to a distributed denial of service attack.
For the following few hours, requests to the BBC website either eventually timed
out, or were responded to with its 500 Internal Error test card page. A group
called New World Hacking later claimed responsibility for the attack, which it
carried out as a test of its capabilities.

Requests that did not time out were eventually met with the BBC test card error page.

The British Broadcasting Corporation is the public service broadcaster of the United Kingdom, and the outage had a significant impact on its user base: The BBC's news,
sport, weather and iPlayer TV and radio catchup services are all delivered via
www.bbc.co.uk.

At the time of the attack, www.bbc.co.uk
was served from a netblock owned by the BBC. It seems that service was restored
by migrating the site onto the Akamai content delivery network, after which
there were no apparent outages.

Moving www.bbc.co.uk onto the Akamai CDN
also resulted in some significant performance benefits, particularly from
locations outside of the UK. For example, prior to the attack, most requests
from Netcraft's New York performance collector took around 0.4-0.6 seconds to
receive a response, whereas after the site had migrated to Akamai, all requests
were served in well under 0.1 seconds. These performance benefits are typical when using a
globally distributed CDN, as cached content can be delivered from an edge server
within the client's own country, rather than from a remote server that can only
be reached via transatlantic cables.

Performance chart for www.bbc.co.uk from New York, highlighting the improved response times and successful attack mitigation after switching to Akamai.

However, not all of the BBC's websites have migrated to Akamai, and some of
these are still exhibiting connectivity issues in the aftermath of the attack.
For example,
search.bbc.co.uk and
news.bbc.co.uk are still hosted directly at the BBC, and these are still
experiencing problems today.

The BBC's News service is currently found at
www.bbc.co.uk/news, but up until a few
years ago it used to be served from its own dedicated hostname,
news.bbc.co.uk. This legacy hostname is
still used by some webpages today, but mostly redirects visitors to the new site
at www.bbc.co.uk/news. This conveniently
collates all of the BBC's main online services under the same hostname, but at
the expense of introducing a single point of failure. If each service were still
served from a different hostname and on different servers, this might have
offered further resilience to the initial attack.

The performance chart for news.bbc.co.uk shows massive outages long after the DDoS attack on New Year's Eve.

As shown above, news.bbc.co.uk was also affected by the DDoS attack which took down the main
BBC website, but eventually came back online later that day without having to relocate the website. However, the
following morning (New Year's Day), it started to experience significant
connectivity problems.

Most requests to news.bbc.co.uk are still failing.
Some browsers, such as Chrome, may automatically retry the request.

It is unclear whether this indicates a separate ongoing
attack, or an attempt at mitigating such attacks, but nonetheless, it is likely to affect lots of users: Many
old news articles are
still served directly from news.bbc.co.uk,
and some users habitually reach the news website by typing
news.bbc.co.uk into their browsers. Some regularly updated pages also continue
to be served from news.bbc.co.uk, such as
horse racing results.